Skip to main content

Trust Delegation

What is Trust Delegation?

Trust delegation is the process of allowing a human user to transfer a bounded subset of their own authority to an autonomous AI agent. The agent receives a delegated token — a short-lived credential that carries the agent's identity and only the exact permissions the user has explicitly granted.

The agent cannot expand its own access, request permissions it hasn't been assigned, or act outside the scope you define. Every action it takes is explicitly authorized and traceable back to your configuration.


Why Trust Delegation Matters

AI agents often need to act on behalf of users — reading data, calling APIs, writing results — but granting an agent full user-level access creates risk. Trust delegation solves this by enforcing least privilege at the token level:

Without Trust DelegationWith Trust Delegation
Agent inherits broad user permissionsAgent receives only the scopes it needs
Hard to audit what the agent didEvery token carry explicit claims
Credential compromise = full accessCompromise limited to scoped, short-lived token
Manual revocation requiredTokens expire automatically

Key Concepts

Delegated Token A short-lived OAuth 2.0 token issued to an agent. It contains only the permissions that pass all three checks: assigned via a role binding, listed in the client's allowed scopes, and explicitly requested by the agent.

Role Binding Links a specific agent identity (its client ID) to a role. The role defines what the agent is allowed to do — but this alone does not grant access.

Allowed Scopes A list on the client entry that caps what the agent can ask for in a token request. Even if the agent's role includes additional permissions, it can only request what is in this list.

SPIFFE Identity Each agent is issued a cryptographic SPIFFE ID (e.g. spiffe://tenant-uuid/agent/.../agent-name) by the SPIRE agent. This identity is embedded in the delegated token, making it unforgeable and cryptographically verifiable.


How It Fits Together

The current mechanism is ID-JAG (Identity Assertion JWT Authorization Grant, also called cross-app access / XAA): the user signs in once, the agent exchanges proof of that login for a scoped, short-lived token that carries both identities:

User logs in through the agent (OIDC / browser login)

Agent exchanges the id_token for an ID-JAG (token-exchange)

Agent redeems the ID-JAG at the target server's AS (jwt-bearer)

Scoped access token: sub = the user, act.client_id = the agent
(first-time access requires one-time admin approval)

AuthSec still enforces the intersection — the token only carries scopes that pass all checks: granted by the user's/agent's role, allowed for the client, and requested in this call.

The Python SDK implements the whole chain in one call — see the ID-JAG delegation guide for agent registration, code, approval, and revocation with dashboard screenshots.


When to Use Trust Delegation

Use trust delegation whenever an AI agent or autonomous workload needs to:

  • Call internal APIs or data services on a user's behalf
  • Write results, logs, or artifacts to a storage system
  • Interact with downstream services in a multi-agent pipeline
  • Perform scheduled or event-driven tasks without a human in the loop

Next Steps